From a1ce3844ac33bd8deec3df588c16ea681915ab7e Mon Sep 17 00:00:00 2001
From: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Date: Fri, 27 Sep 2024 20:47:02 +0200
Subject: [PATCH] Check for Trusted Publishing in magic link logic

---
 twine-upload.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/twine-upload.sh b/twine-upload.sh
index fce4517..98d41b1 100755
--- a/twine-upload.sh
+++ b/twine-upload.sh
@@ -73,7 +73,11 @@ MAGIC_LINK_MESSAGE="::warning title=Create a Trusted Publisher::\
 A new Trusted Publisher for the currently running publishing workflow can be created \
 by accessing the following link(s) while logged-in as an owner of the package(s):"
 
-if [[ ! "${INPUT_REPOSITORY_URL}" =~ pypi\.org || ${#PACKAGE_NAMES[@]} -eq 0 ]] ; then
+
+[[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] \
+    && TRUSTED_PUBLISHING=true || TRUSTED_PUBLISHING=false
+
+if [[ "${TRUSTED_PUBLISHING}" == true || ! "${INPUT_REPOSITORY_URL}" =~ pypi\.org || ${#PACKAGE_NAMES[@]} -eq 0 ]] ; then
     TRUSTED_PUBLISHING_MAGIC_LINK_NUDGE=""
 else
     if [[ "${INPUT_REPOSITORY_URL}" =~ test\.pypi\.org ]] ; then
@@ -90,8 +94,6 @@ else
     echo "${MAGIC_LINK_MESSAGE}" >> $GITHUB_STEP_SUMMARY
 fi
 
-[[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] \
-    && TRUSTED_PUBLISHING=true || TRUSTED_PUBLISHING=false
 
 if [[ "${INPUT_ATTESTATIONS}" != "false" ]] ; then
     # Setting `attestations: true` without Trusted Publishing indicates